XCOM for z/OS secure transfers using AT-TLS

Article ID: 273874

Products

  • XCOM Data Transport - z/OS
  • XCOM Data Transport
  • XCOM Data Transport - Linux PC
  • XCOM Data Transport - Windows

Issue/Introduction

Looking at enabling XCOM for z/OS file secure/encrypted transfers:

  1. Can AT-TLS be used for the encryption part on z/OS?

  2. Does the remote XCOM partner need configuration changes as well?

  3. Will certificates be required?

Environment

  • XCOM™ Data Transport® for z/OS
  • XCOM™ Data Transport® for Windows
  • XCOM™ Data Transport® for Linux PC

Resolution

  1. Can AT-TLS be used for the encryption part on z/OS?
    Yes. XCOM is an AT-TLS aware application; see the article: XCOM is an AT-TLS aware application
    Here are some documentation pages with more details:
    XCOM™ Data Transport® for z/OS 12.0 > Release Notes > New Features
    XCOM™ Data Transport® for z/OS 12.0 > Getting Started > Features > AT-TLS Support

  2. Does the remote XCOM partner need configuration changes as well?
    No changes are required on the remote partner, but the AT-TLS* parameters provide a degree of control for starting multiple listeners to meet different partner requirements. See: Are AT-TLS parameters mandatory in XCOM CONFIG to use AT-TLS

  3. Will certificates be required?
    Yes, just like using normal secure transfers, certificates will be required.


Other important information:

  1. Under z/OS where AT-TLS is being used:
    • To initiate a secure transfer, DO NOT use SECURE_SOCKET=YES in the XCOM parameters.
      The idea is that XCOM starts an unsecured transfer; AT-TLS secures the connection, XCOM detects this and issues messages stating that the connection is protected by AT-TLS. The transfer must be addressed to the SSL port at the partner.
    • To initiate an unsecured transfer, the transfer must address the non-SSL port at the partner, and the AT-TLS policies must be set up so that this connection is not managed by AT-TLS and therefore proceeds in clear text.

  2. To initiate a secure transfer from a remote partner that is not using AT-TLS:
    Continue to use SECURE_SOCKET=YES.
    This applies to all non-z/OS platforms and also z/OS where IBM System SSL is being used.
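
As an illustration of the two z/OS cases above, here is an AT-TLS policy fragment in Policy Agent syntax. It is an added example, not a policy shipped with XCOM or taken from this article. One rule secures outbound XCOM connections to the partner's SSL port, and a second rule explicitly leaves connections to the partner's non-SSL port in clear text. The XCOM job name prefix (XCOM*), the key ring name (XCOMRING) and the port numbers (8045 for SSL, 8044 for non-SSL) are assumptions; substitute the values in use at your site and at the partner.

```text
# Added example AT-TLS policy fragment (Policy Agent syntax), not from the original article.
# Assumed values: job name prefix XCOM*, key ring XCOMRING,
#                 partner ports 8045 (SSL) and 8044 (non-SSL).
# XCOM sends these transfers WITHOUT SECURE_SOCKET=YES; AT-TLS supplies the TLS layer.

TTLSRule                      XCOM_Out_Secure
{
  LocalAddr                   ALL
  RemoteAddr                  ALL
  RemotePortRange             8045        # partner SSL port: protected by AT-TLS
  Jobname                     XCOM*
  Direction                   Outbound
  Priority                    255
  TTLSGroupActionRef          XCOM_Group_On
  TTLSEnvironmentActionRef    XCOM_Client_Env
}

TTLSRule                      XCOM_Out_Clear
{
  LocalAddr                   ALL
  RemoteAddr                  ALL
  RemotePortRange             8044        # partner non-SSL port: clear text by design
  Jobname                     XCOM*
  Direction                   Outbound
  Priority                    254
  TTLSGroupActionRef          XCOM_Group_Off
}

TTLSGroupAction               XCOM_Group_On
{
  TTLSEnabled                 On
}

TTLSGroupAction               XCOM_Group_Off
{
  TTLSEnabled                 Off         # explicit: AT-TLS does not manage this connection
}

TTLSEnvironmentAction         XCOM_Client_Env
{
  HandshakeRole               Client
  TTLSKeyringParms
  {
    Keyring                   XCOMRING    # ring holding the XCOM certificate and the partner's CA
  }
  TTLSEnvironmentAdvancedParms
  {
    TLSv1.3                   On
  }
}
```

After the policy is loaded, `pasearch -t` shows which TTLS rules are active, and the XCOM transfer messages confirm whether the connection was protected by AT-TLS. If no clear-text transfers are required at your site, drop the XCOM_Out_Clear rule and its group action, so that a transfer addressed to the wrong port is not silently carried in the clear.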

Additional Information

XCOM Engineering had this additional advice:

  1. Any remote XCOM for Windows/Linux 11.6 system should have one of the latest patches applied, because Engineering had to correct a few things on the distributed side to make it work with AT-TLS. See the problem numbers and referenced solutions below, from 2021:
    Transfer from z/OS to Windows using AT-TLS fails
    Transfer from z/OS to Linux using AT-TLS fails
    Due to their later release date, the XCOM for Windows/Linux 12.0 versions have those changes in the GA version.

  2. AT-TLS is XCOM's stated direction for data encryption support on the z/OS platform, so if you are going to the trouble of setting up encryption, you should use AT-TLS.
    XCOM's chosen method of supporting TLS 1.3 is via AT-TLS, and that is the path forward for supporting encryption technology; see: Improving XCOM Data Transport transfers with TLSv1.3
    Support for OpenSSL on z/OS has already been removed and at some point (as yet undetermined) System SSL will likewise be removed.